SANS Digital Forensics and Incident Response Blog: Author - Ray Strubinger

Digital Forensics Case Leads: Free tools, Treasure Hunts, Drive-by Attacks and Spying

This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Earlier this month AccessData released a new version of their popular (and free) utility, the FTK Imager. Version 3 has a number of useful features such as the ability to boot forensic images in VMWare and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG

...


Digital Forensics Case Leads: An OS X based Live CD, a Free Forensics App for Windows, Spying, and High Performance Password Cracking

This week's edition of Case Leads features an OS X based Live CD, a free tool for gathering evidence from HBGary, spying, and the threat video cards pose to passwords.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Creating an OS X Incident Response CD for Live Response -Tom Webb has a write up that discusses the process for building a basic OS X based CD for live analysis. The how-to addresses a few unique features of OS X and includes a method for dealing with OS X's non-static binaries. Suggestions for binaries to include on the CD and commands useful for IR on OS X are covered. Tom has also included a starter script that will help with information gathering during the IR

...


Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

News:


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS or Massive Portable Forensic Storage provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via firewire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and Logicube's second new device, the NETConnect which as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be

... Continue reading Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt